More restrictive filename/version requirements in API file retrieval

Prevents server errors from being generated when the filename is "bad" and when the user specifies a non-integer version. This is for superevent files; event files are handled separately, although this should be unified at some point.

More restrictive filename/version requirements in API file retrieval
1396570f · Tanner Prestegard · GraceDB · 55675362 · 1396570f · 1396570f
Commit 1396570f authored 6 years ago by Tanner Prestegard Committed by GraceDB 6 years ago
--- a/gracedb/api/v1/superevents/views.py
+++ b/gracedb/api/v1/superevents/views.py
@@ -16,7 +16,7 @@ from rest_framework.views import APIView

 from core.file_utils import get_file_list
 from core.http import check_and_serve_file
-from core.vfile import VersionedFile
+from core.vfile import VersionedFile, FileVersionError, FileVersionNameError
 from events.models import Event, Label
 from events.view_utils import reverse as gracedb_reverse
 from superevents.buildVOEvent import VOEventBuilderException
@@ -275,7 +275,17 @@ class SupereventFileViewSet(InheritDefaultPermissionsMixin,
        full_filename = self.kwargs.get(self.lookup_url_kwarg)

        # Try to split into name,version (for log lookup)
-        filename, version = Log.split_versioned_filename(full_filename)
+        try:
+            filename, version = Log.split_versioned_filename(full_filename)
+        except FileVersionError as e:
+            # Bad version specifier
+            return Response('File not found, version string should be an int',
+                status=status.HTTP_404_NOT_FOUND)
+        except FileVersionNameError as e:
+            # File name doesn't match versioning scheme (likely has a comma
+            # in it that isn't part of the versioning scheme)
+            return Response(('Invalid filename: filename should not contain '
+                'commas'), status=status.HTTP_400_BAD_REQUEST)

        # Get logs which are viewable by the current user and
        # have files attached

--- a/gracedb/core/vfile.py
+++ b/gracedb/core/vfile.py
@@ -13,6 +13,17 @@ import logging
 logger = logging.getLogger(__name__)


+class FileVersionError(Exception):
+    # Problem with file version (likely not an int)
+    pass
+
+
+class FileVersionNameError(Exception):
+    # Problem with filename (likely has an extra comma somewhere in the
+    # filename)
+    pass
+
+
 class VersionedFile(file):
    """
    Open a versioned file.
@@ -149,13 +160,19 @@ class VersionedFile(file):
        if len(result) == 2:
            filename = result[0]
            version = result[1]
+
+            # Version is a string here, try to convert it to an int
+            try:
+                version = int(version)
+            except ValueError as e:
+                raise FileVersionError('Bad version specifier')
        elif len(result) == 1:
            filename = result[0]
            version = None
        else:
            err = 'Filename {0} does not match versioning scheme'.format(
                versioned_name)
-            raise ValueError(err)
+            raise FileVersionNameError(err)

        return filename, version